


Control Acronym



System And Information Integrity

CMMC Level


800-171 Control #


CMMC Description

Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

CMMC Clarification

When conducting cyberattacks, attackers tend to operate using certain patterns of behavior or exploit capabilities. This collection of patterns and capabilities is known as Tactics, Techniques, and Procedures (TTP). An organization can build its knowledge of attacker TTPs by participating in Information Sharing and Analysis Centers (ISAC) for its industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on its lines of business, an organization may consider more than one ISAC. An organization may also acquire TTPs through commercial providers in order to integrate them into various technologies.

Example

You are the manager of the Security Operations Center (SOC) and have recently added a role to perform cyber threat hunting. You have been tasked to set up the process for the SOC. You first identify relevant sources of threat information for the organization. You have the organization join the National Defense ISAC and begin to interact with peers in the ISAC. You capture events in your organization and share the TTPs with your peers. In return, they share new TTPs with you. After downloading the TTPs, you build queries against the SOC’s central repository for recurring searches. You also acquire a commercial threat indicator feed of suspicious domains, known malware hashes, and IP addresses. You use these to supplement a custom intrusion detection system.

Additional Reading

National Council of ISACs

NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing

Homeland Security Systems Engineering & Development Institute Cyber Threat Modeling

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B

The constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), makes it essential that threat information relating to specific threat events (e.g., TTP, targets) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) be sourced from and shared with trusted organizations. This information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities.

Threat information sharing includes threat indicators, signatures, and adversary TTP from organizations participating in various threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.RA-2, ID.RA-3

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

Draft NIST SP 800-171B 3.14.6e

UK NCSCCyber Reference

AS ACSC Reference

